[Snort-users] BOHTTP/BrownOrifice/Netscape ServerSocket sigs

Max Vision vision at ...4...
Tue Aug 8 21:42:02 EDT 2000


I saw that :)  Actually I'm glad you mentioned the directory traversal
rules at Whitehats - they were in vision-old.conf but hadn't been
entered into arachNIDS yet.  I just did so:

IDS297/http-directory-traversal1    http://whitehats.com/IDS/297
IDS298/http-directory-traversal2    http://whitehats.com/IDS/298

Here is the background I wrote for them:
Numerous web servers and CGI scripts are vulnerable to directory traversal
attacks. In many cases the web application may intend to allow access to a
particular portion of the filesystem. Without proper checking of user
input, a user could often add ".." directories to the path allowing access
to parent directories, possibly climbing to the root directory and being
able to access the entire filesystem. There are *MANY* Bugtraq and CVE
entries that match this vulnerability: CVE entries: CVE-1999-0842,
CVE-1999-0887, CVE-2000-0436, CAN-2000-0443, and BUGTRAQ numbers: 620,
689, 699, 743, 746, 772, 773, 827, 896, 921, 950, 968, 989, 1067, 1102,
1103, 1144, 1164, 1169, 1231, 1243, 1278, 1344, 1455, 1462, 1471, 1508,
1537.

Max Vision
http://whitehats.com/

On Tue, 8 Aug 2000, Ryan Russell wrote:
> There's already an advisory out on it as well, it's vulnerable to .. games
> in the filenames.  See today's Bugtraq archives.  I assume there is
> already a Whitehats rule to catch .. in URLs?
> 
> 					Ryan
> 
> On Tue, 8 Aug 2000, Max Vision wrote:
> 
> > Hi,
> > 
> > I can't find the reference email anywhere but someone asked me if there
> > were signatures to detect this.  I have written two, one for the java
> > bytecode download, and another for a successful trojan installation:
> > 
> > IDS294/trojan-netscape-java-serversocket 
> > http://whitehats.com/IDS/294
> > 
> > IDS295/trojan-netscape-java-brownorifice 
> > http://whitehats.com/IDS/295
> > 
> > Max Vision
> > http://whitehats.com/
> > 
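
Added example, not part of the thread above or of the Whitehats/arachNIDS rules it references: the two defender-side halves of the directory-traversal problem Max describes, a request-line check in the spirit of IDS297/IDS298 that flags ".." components (going slightly beyond the post by also catching percent-encoded and query-string forms), and the server-side input check that canonicalises the requested path and refuses anything resolving outside the intended document root. The sample request lines and the `/var/www/html` document root are constructed for this example.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Path and query text is split on these delimiters so that a ".." hidden in
# a CGI parameter (file=../x) is seen as its own component, not as "file=..".
_SEP = re.compile(r"[/\\?=&]")


def detect_traversal(request_line: str) -> bool:
    """IDS-style check on one HTTP request line: True if the path or query
    carries a '..' component, raw or percent-encoded (%2e%2e)."""
    fields = request_line.split()
    if len(fields) < 2:
        return False  # not a request line; nothing to inspect
    parts = urlsplit(fields[1])
    for piece in (parts.path, parts.query):
        for candidate in (piece, unquote(piece)):
            if ".." in _SEP.split(candidate):
                return True
    return False


def resolve_within(doc_root: str, requested: str) -> Optional[str]:
    """Server-side fix: map a requested URL path onto the filesystem and
    refuse anything that resolves outside doc_root (parent *or* sibling)."""
    root = os.path.realpath(doc_root)
    # realpath collapses every '..' (and symlinks) before the comparison,
    # so the decision is made on where the path really lands, not its text.
    full = os.path.realpath(os.path.join(root, unquote(requested).lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


# Constructed sample request lines: benign, raw '..', encoded, and in a query.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/view.cgi?file=readme.txt HTTP/1.0",
    "GET /../../../../etc/passwd HTTP/1.0",
    "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
    "GET /cgi-bin/view.cgi?file=../../../etc/passwd HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print("ALERT" if detect_traversal(line) else "ok   ", line)
    print(resolve_within("/var/www/html", "/images/%2e%2e/%2e%2e/etc/passwd"))
```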
